Firefox security flaw exposes Tor users’ IP addresses

A new exploit targeting users of Tor running Firefox has been uncovered – and the exploit, published yesterday, bears a remarkable similarity to a 2013 exploit used by the FBI in a sting operation.

The exploit targets a heap-overflow bug and allows malicious code to be run on targeted Windows PCs. It was published on the Tor Project website, and the flaw was verified by Tor co-founder Roger Dingledine. The exploit consists of one HTML file and one CSS file.

According to security specialists, the payload of the exploit is almost identical to one used by the FBI in 2013 to de-anonymise and identify the IP addresses of people visiting a child-rape website. “When I first noticed the old shellcode was so similar, I had to double check the dates to make sure I wasn’t looking at a three-year-old post,” said one security specialist.

The exploit takes advantage of a heap-overflow flaw, but requires JavaScript to be enabled in the web browser. Because of the security risks JavaScript carries, it is always recommended to switch it off when using Tor if maximum security is required.

Currently, the exploit code points to the IP address 5.39.27.226, a server hosted by OVH in France, which makes it unlikely that the FBI (or any other US agency) is behind it.